lution. It's one of two firewall vendors that I highly recommend to companies.
More Palo Alto HA Cluster Installs
Palo Alto has a great firewall so
October Palo Alto 850 HA Install
Palo Alto Firewall: Testing PBF (Policy Based Forwarding) In CLI
PBR (or PBF, as Palo calls it) is a really great feature. Policy Based Forwarding (in the network world, we call it policy based routing) is a feature where you can control where packets go without using the routing table. You set an egress interface and next hop based on parameters that you define (like source zone, source address, application, protocol, etc.), and a packet that matches the PBF policy is forwarded by it BEFORE the routing table is ever consulted. Here is how you test it in CLI, to verify it works the way you want it to.
PA850-1(active)> test pbf-policy-match from L3-Inside application web-browsing source 192.168.1.5 destination 5.5.5.5 protocol 6 destination-port 443
"Exchange; index: 8" {
id 9;
from L3-Inside;
source 192.168.1.5;
destination any;
user any;
application/service any/any/any/any;
action Forward;
symmetric-return no;
forwarding-egress-IF/VSYS ethernet1/3;
next-hop 68.68.68.68;
terminal no;
}
Palo Alto Firewall: CLI Command To Verify Optic Module
Guys, real quick, if you need to check the SFP status to know if the Palo is seeing it or not, here is a CLI command to help you determine if it is. The below is a Proline SFP.
killen@PA-850> show system state filter sys.s1.p9.phy
sys.s1.p9.phy: { 'link-partner': { }, 'media': SFP-Plus-Fiber, 'sfp': { 'connector': LC, 'encoding': 8B10B, 'identifier': SFP, 'transceiver': 1000B-SX, 'vendor-name': PROLINE , 'vendor-part-number': PAN-SFP-SX-PRO , 'vendor-part-rev': A3 , }, 'type': Ethernet, }
Palo Alto Firewall: PBF (Policy Based Forwarding) Testing In CLI
Did you know you can test your policy based forwarding yourself in CLI on the Palo Alto firewall? You sure can. Below, I'm testing traffic from my zone L3-Inside (my inside zone) to verify it will go out the ethernet1/3 port. Based on the response below, it looks like it does work, without having to involve the server guys.
killen@PA850-1(active)> test pbf-policy-match from L3-Inside application web-browsing source 192.168.5.5 destination 77.77.77.77 protocol 6 destination-port 443
"Exchange; index: 8" {
id 9;
from L3-Inside;
source 192.168.5.5;
destination any;
user any;
application/service any/any/any/any;
action Forward;
symmetric-return no;
forwarding-egress-IF/VSYS ethernet1/3;
next-hop 65.65.65.65;
terminal no;
}
allen@PA850-1(active)>
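The two PBF posts above both rely on reading the `test pbf-policy-match` output by eye. Here is an added Python example (not from the blog or from Palo Alto) that parses that brace-delimited output and checks the matched rule against the egress interface and next hop you intended, so a PBF verification can be scripted across many source/destination pairs. The sample output is constructed from the first post; treating an output with no rule block as "no PBF rule matched" is an assumption.

```python
import re

# Constructed sample: output of `test pbf-policy-match ...` as shown in the post
SAMPLE_PBF_OUTPUT = '''"Exchange; index: 8" {
id 9;
from L3-Inside;
source 192.168.1.5;
destination any;
user any;
application/service any/any/any/any;
action Forward;
symmetric-return no;
forwarding-egress-IF/VSYS ethernet1/3;
next-hop 68.68.68.68;
terminal no;
}
'''

# A matched rule is printed as "<rule name>" { key value; ... }
_BLOCK_RE = re.compile(r'"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\}', re.S)


def parse_pbf_match(output):
    """Return the matched rule as a dict (rule name under 'rule'), or None when
    no rule block is present (assumed here to mean no PBF rule matched)."""
    m = _BLOCK_RE.search(output)
    if not m:
        return None
    rule = {"rule": m.group("name")}
    for line in m.group("body").splitlines():
        line = line.strip().rstrip(";")
        if not line:
            continue
        key, _, value = line.partition(" ")   # first token is the field name
        rule[key] = value.strip()
    return rule


def check_pbf(output, egress, next_hop):
    """Compare the matched rule with the intended forwarding decision.
    Returns a list of problems; an empty list means PBF does what you want."""
    rule = parse_pbf_match(output)
    if rule is None:
        return ["no PBF rule matched; traffic falls through to the routing table"]
    problems = []
    if rule.get("action") != "Forward":
        problems.append(f"action is {rule.get('action')!r}, expected 'Forward'")
    if rule.get("forwarding-egress-IF/VSYS") != egress:
        problems.append(f"egress interface is {rule.get('forwarding-egress-IF/VSYS')!r}, expected {egress!r}")
    if rule.get("next-hop") != next_hop:
        problems.append(f"next hop is {rule.get('next-hop')!r}, expected {next_hop!r}")
    return problems
```

Feed it the captured output of each test command and fail the check on any non-empty problem list.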
Palo Alto Firewall: Adding A Static Route In CLI
Real quick, I think this is useful for adding a lot of static routes into a Palo Alto. SSH in, type "configure" to enter configuration mode, then type out the following:
set network virtual-router [name of virtual router, i.e. default] routing-table ip static-route [name of route, i.e. Shanes-Route] admin-dist 10 destination [network/subnet mask, i.e. 10.10.10.0/24] interface [name of outgoing interface, i.e. ethernet1/1] nexthop ip-address [next hop IP, i.e. 4.4.4.4]
Add 50 or so of them from notepad at one time, then type in "commit".
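When you are pasting 50 routes at once, a single typo in a prefix (host bits set, a bad next hop) is easy to miss until after the commit. This added Python example (not from the blog or from Palo Alto) builds the `set` lines in exactly the form shown above from a constructed CSV list and refuses to emit any of them if one entry is invalid, so a half-good batch never reaches the paste. The CSV format and the `build_route_batch` helper are assumptions of this example.

```python
import ipaddress


def static_route_cmd(vr, name, destination, interface, nexthop, admin_dist=10):
    """Build one PAN-OS `set` line in the form the post shows, after validating
    the prefix and next hop so a typo never reaches the commit."""
    net = ipaddress.ip_network(destination, strict=True)  # rejects e.g. 10.10.30.5/24
    nh = ipaddress.ip_address(nexthop)
    if net.version != 4 or nh.version != 4:
        raise ValueError(f"{destination} / {nexthop}: only IPv4 handled by this example")
    if not name or " " in name:
        raise ValueError(f"route name {name!r} must be non-empty and contain no spaces")
    return (f"set network virtual-router {vr} routing-table ip static-route {name} "
            f"admin-dist {admin_dist} destination {net} interface {interface} "
            f"nexthop ip-address {nh}")


# Constructed sample of the "notepad" list: name,destination,interface,nexthop
# The third line has host bits set in the prefix and must be rejected.
SAMPLE_ROUTES = """\
Shanes-Route,10.10.10.0/24,ethernet1/1,4.4.4.4
Branch-2,10.10.20.0/24,ethernet1/1,4.4.4.4
Bad-Route,10.10.30.5/24,ethernet1/1,4.4.4.4
"""


def build_route_batch(csv_text, vr="default"):
    """Turn the CSV list into (commands, errors). Commands are returned only
    when every line is valid; otherwise the command list is empty."""
    cmds, errors = [], []
    for lineno, line in enumerate(csv_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            errors.append(f"line {lineno}: expected 4 fields, got {len(fields)}")
            continue
        try:
            cmds.append(static_route_cmd(vr, *fields))
        except ValueError as e:
            errors.append(f"line {lineno}: {e}")
    return (cmds if not errors else []), errors


if __name__ == "__main__":
    commands, problems = build_route_batch(SAMPLE_ROUTES)
    print("\n".join(problems or commands))
```

Paste the printed commands into configure mode, then "commit" as the post says.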
Palo Alto Firewall: Verifying A Route In CLI
Real quick, how do you verify what interface a destination route goes out of the Palo Alto in CLI? Here is what you do:
PA850-1(active)> test routing fib-lookup virtual-router vsys_router ip 192.168.1.5
--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router: vsys_router
destination: 192.168.1.5
result:
via 5.5.5.5 interface ethernet1/3, source 5.5.5.6, metric 10
--------------------------------------------------------------------------------
Right there it is. It's ethernet1/3 in this case. I wanted to know what interface 192.168.1.5 would be going out, and the above command tells me. Note that "vsys_router" is the virtual router you have defined for routing. It may be "default" in your case, or whatever you named it.
SSL Decrypt
Most NGFWs have the ability to do SSL decryption, and it's a really good idea to do so. Many attacks now come through encrypted packets, and they need to be inspected. If you have the capability to do SSL decryption, you should be doing it.
Palo Alto Firewall: PA-200 Replacement
I went on-site to a customer to replace a PA-200 that was having some issues. I got the software, GlobalProtect, and Applications and Threats to the same version and then did a restore from a backup I had taken. It's not a bad process to go through.
Palo Alto Firewall: Upgrade From 7.1.x To 8.0.9 On HA Pair
Well, what should have been an easy upgrade turned ugly on me today. I've upgraded many Palo Altos in my career. What a great product. But today, I spent three hours working through a Palo that wouldn't boot up after the upgrade to 7.1.17. Thankfully, it was an HA pair and the customer didn't experience any real downtime.
After a factory reset, getting to the same software version and importing the config back in, we were back to its original state again. So with a download of the base 8.0 software and a download and install of 8.0.9 on both units, all is good.
What does that STS amber LED mean? Well, it's still booting firewall services. You can log in to the console, but you may still have to wait a few minutes for all the services to come up. You should see "System initializing; please wait... (CTRL-C to bypass)" in the CLI during this time. When the STS LED goes from amber to green, you should be good to go for CLI config.
I had a unit that kept the amber LED on STS. I had to do a factory reset to overcome this problem.
I've been working on a pair of Palo Alto 3020s in HA mode. I really like the Palo Alto firewall. Don't get me wrong, I like "working" on most firewalls. But Palo Alto (and Check Point) just ranks to me as the best on the market. I've been consistent in saying this for sure. And working on this cluster, I certainly recall why.
Just FYI, I have noticed in the past few years that it's been Palo Alto and Check Point at the top of the list for NGFWs. For 2016, Gartner says that for sure.
NGFW 2016 Gartner Chart
This is interesting. I have always believed Palo and CP were the leaders. It still appears that way according to Gartner.
Palo Alto Firewall: Ping With A Source Address
Just a quick post today about ping in CLI. You can use a particular source address of your choice that belongs to the Palo, should you need to. Typically, you do need to if you are pinging across a VPN, so the reply comes back over the tunnel. Here is the quick command; fill in your IPs of choice:
PA-3020> ping source 192.168.2.1 host 192.168.1.86
Ref https://www.shanekillen.com/search/label/Palo%20Alto%20Firewall